AUDIT NO. I-PA-EAC-02-12

U.S. ELECTION ASSISTANCE COMMISSION
Office of Inspector General

Independent Audit of U.S. Election Assistance Commission’s 2012 Information Security Program

Executive Summary

In accordance with the Federal Information Security Management Act (FISMA), the Office of Inspector General (OIG) engaged Leon Snead & Co. P.C. (LSC), an independent certified public accounting firm, to conduct an audit of the U.S. Election Assistance Commission’s (EAC) compliance with the OMB Circular A-130 and FISMA requirements. FISMA requires federal agencies, including EAC, to perform annual independent evaluations of their information security programs and practices and report the results to the Office of Management and Budget (OMB). FISMA states that annual evaluations shall be performed by the agency Inspector General or by an independent external auditor, as determined by the Inspector General. The objective of this audit was to assess whether the EAC had developed, documented, and implemented an agency-wide information security program, as required by OMB Circular A-130 and FISMA.

Background – The E-Government Act (Public Law 107-347) was signed into law in December 2002. Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA), requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by other agencies, contractors, or other sources.

The National Institute of Standards and Technology (NIST) is directed by FISMA to develop risk-based standards and guidelines, including minimum requirements, for information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of the agency or other national security systems. OMB establishes policy for management of federal information resources and annual requirements under FISMA.

Summary of Audit – LSC concluded that EAC was in substantial compliance with FISMA requirements, OMB policy and guidelines, and applicable NIST standards and guidelines for the security control areas that were evaluated. LSC determined that EAC had developed an agency-wide internet technology security program based upon assessed risk, and the security program provided reasonable assurance that the agency’s information and information systems were appropriately protected. However, LSC did note one area relating to the vulnerability scans of EAC’s internal network where EAC’s controls and processes could be further strengthened. EAC officials took action to address the vulnerabilities identified. LSC tested the actions taken by EAC officials and confirmed corrective actions had been taken.

Recommendations and Management Comments – On September 17, 2012, EAC officials provided a written response to the draft report. In the response, EAC officials concurred with the findings and recommendations, and provided a detailed plan that was responsive.

This report contains sensitive information concerning the EAC’s information security program. Accordingly, we do not plan to release the report publicly.